Feds: 3 nabbed for widespread Gozi computer virus

NEW YORK — A computer virus that spread to more than a million computers worldwide, including some at NASA, and produced at least $50 million in illegal profits or losses to victims should be a “wake-up call” for banks and consumers unaware of the threat posed by Internet criminals, a prosecutor said Wednesday.

U.S. Attorney Preet Bharara and George Venizelos, head of the New York FBI office, warned of the growing threat to financial and international security as they announced that a 2½-year probe had resulted in three arrests, two of them overseas, and the seizure of vast amounts of computer-related evidence that will take months or years to fully analyze. They said the Gozi virus had infected 40,000 computers in the United States since 2005, including 190 at the National Aeronautics and Space Administration, along with computers in Germany, Great Britain, Poland, France, Finland, Italy, Turkey and elsewhere.

“This case should serve as a wake-up call to banks and consumers alike because cybercrime remains one of the greatest threats we face, and it is not going away anytime soon,” Bharara said. “It threatens individuals, businesses and governments alike.”

He told a news conference that cybercriminals “believe that their online anonymity and their distance from New York render them safe from prosecution, but nothing could be further from the truth.”

Venizelos said law enforcement had seized 51 computer servers in Romania, along with laptops, desktops and external hard drives, accumulating more than 250 terabytes of information.

“That vast pile of data is almost certain to aid criminal investigation at FBI offices around the country as well as law enforcement agencies around the world,” he said. “It is more than standard boilerplate to say that this investigation is very much ongoing.”

So far, the investigation has produced three arrests, including that of Nikita Kuzmin, who pleaded guilty to computer intrusion and fraud charges in May 2011, admitting his role in creating the virus. The plea was followed by the arrest in November of a co-conspirator in Latvia and another in Romania last month. Extradition proceedings are under way against both on various criminal charges, including conspiracy.

The NASA breach occurred from Dec. 14, 2007, to Aug. 9, 2012, with the most damage occurring between May and August last year, according to documents filed in U.S. District Court in Manhattan. The infected computers sent data without user authorization, including login credentials for an eBay account and a NASA email account, details of visited websites and the contents of Google chat messages.

Mihai Ionut Paunescu, who was arrested in Romania, set up online infrastructure that allowed others to distribute destructive viruses and malicious software, including ones dubbed Zeus Trojan, SpyEye and BlackEnergy, according to a criminal complaint filed against him. The document said Paunescu, a Romanian national residing in Bucharest, was also known as “Virus.”

The Gozi virus was designed in 2005 and distributed beginning in 2007, when it was secretly installed onto each victim’s computer in a manner that left it virtually undetectable by antivirus software.

Deniss Calovskis was arrested in Latvia, where he is a citizen and resident, on charges including bank fraud conspiracy.

Extradition proceedings had begun to bring them to New York for trial.

Authorities say Kuzmin began designing the Gozi virus in 2005 to steal personal bank account information of individuals and businesses in a widespread way. They said he hired a programmer to write the software and began renting it to others for a weekly fee, advertising it on Internet forums devoted to cybercrime and other criminal activities. Beginning in 2009, Kuzmin offered the code to others for $50,000 plus a guaranteed share of future profits, court documents said.

Authorities said Calovskis had training and expertise in computer programming when he was hired by a co-conspirator to upgrade the virus with new code that would deceive victims into divulging additional personal information, such as a mother’s maiden name. Federal authorities sought at least $50 million from Calovskis, an amount they said was obtained through the conspiracy.
